On an Ubuntu client

On a Windows client

When I change the DNS on the Ubuntu client to dns-nameservers 192.168.1.1 and on the Windows client to the same router IP, 192.168.1.1, instead of the Squid IP (192.168.1.3), I can access the internet on both. This may not be the right way to do it, as the page may be served directly via the router and not from the Squid server using the cache (of course, I could see the logs being generated in /var/log/squid3/cache.log). I also noticed my router blinking for pages that were already accessed, which may mean it sends the request over the internet instead of fetching from the Squid cache.

I'm still not compromised. If I can still access the visited pages on my client machines from the cache with the internet shut down, I will be satisfied.

What is the procedure to configure clients for a Squid transparent proxy? Can anybody guide me, please?

Update 2

It's working on the previous edition, Ubuntu 10.04 (lucid), with Squid version "Squid Cache: Version 2.7.STABLE7". Below is the squid config file that worked; with it I could access the internet on the client machines when the clients' gateway and DNS are set to lucid's IP:

I might be stating the obvious, but isn't the whole point of a transparent proxy configuration that you DON'T configure the clients?
– HBruijn, Jul 4 '14 at 17:00

No, I just mentioned the server configs in case they help debug the issue.
– user53864, Jul 4 '14 at 17:30

I don't understand how to configure Squid clients. I could not access the internet on the client when I used Squid's IP (192.168.1.3) as the gateway and primary DNS server. I think this is the proper way to configure clients!
– user53864, Jul 4 '14 at 17:45

6 Answers

Edit the squid.conf file and change the following line to enable transparent proxy mode:

http_port 3128

to
http_port 3128 intercept

service squid restart
service squid reload

Add an entry to the iptables NAT table to port-forward inbound traffic on the inside interface (LAN side) to the Squid server on port 3128 (assuming eth0 is the inside interface with the IP address 192.168.1.3).
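A worked version of the two steps in this answer, added here as an example; it is not the answer's own configuration, and the answer's actual iptables line is not shown on this page. The script checks a squid.conf for the intercept flag, prints (or with DRY_RUN=0 applies) the NAT redirect for the LAN side, and reads the kernel's forwarding flag. Assumptions, mirroring the question: the proxy box is 192.168.1.3 with eth0 on 192.168.1.0/24, and the intercept port is 3129, kept separate from the plain forward-proxy port 3128, because Squid 3.2 and later refuses non-NATed requests that arrive on an intercept port. Note also that in intercept mode the client still resolves hostnames itself before connecting, so whatever DNS address the client is given must be a host that actually answers DNS queries.

```sh
#!/bin/sh
# Added example, not code from the original answer. It produces and checks the
# three pieces a Squid transparent proxy on a Linux gateway needs:
#   1. an http_port line carrying the intercept flag (transparent on Squid 2.x)
#   2. a NAT rule on the LAN side that redirects client port-80 traffic to it
#   3. IP forwarding, so the clients' non-HTTP traffic is still routed.
# Assumed addresses: proxy box 192.168.1.3, LAN interface eth0, LAN
# 192.168.1.0/24, intercept port 3129 separate from the forward port 3128.

# Read a squid.conf on stdin and print its intercept port(s). Fails if there is
# none, or if a port is configured both as a plain forward port and as an
# intercept port (Squid 3.2+ rejects non-NATed requests on an intercept port,
# so clients explicitly pointed at that port would stop working).
check_squid_conf() {
    conf=$(cat)
    plain=$(printf '%s\n' "$conf" | awk '$1=="http_port" && $0 !~ /intercept|transparent/ {print $2}')
    icpt=$(printf '%s\n' "$conf" | awk '$1=="http_port" && /intercept|transparent/ {print $2}')
    if [ -z "$icpt" ]; then
        echo "no http_port with intercept/transparent flag" >&2
        return 1
    fi
    for p in $icpt; do
        for q in $plain; do
            if [ "$p" = "$q" ]; then
                echo "port $p is both a forward and an intercept port" >&2
                return 2
            fi
        done
    done
    printf '%s\n' "$icpt"
}

# Print the iptables commands. Only traffic entering on the LAN interface from
# the LAN subnet is redirected, so the intercept port is never exposed as an
# open proxy to other networks. Squid's own outbound connections pass through
# OUTPUT, not PREROUTING, so they are not looped back into the proxy.
# Arguments: LAN interface, LAN subnet, intercept port.
nat_rules() {
    iface=$1 lan=$2 port=$3
    cat <<EOF
iptables -t nat -A PREROUTING -i $iface -s $lan -p tcp --dport 80 -j REDIRECT --to-ports $port
iptables -A INPUT -i $iface -s $lan -p tcp --dport $port -j ACCEPT
EOF
}

# Apply the generated rules (needs root); with DRY_RUN=1 (the default) they are
# only printed, prefixed with [dry-run].
apply_rules() {
    nat_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Print 1 if the kernel forwards IPv4 packets (required for the gateway role),
# 0 if not, and "unknown" where /proc is not readable.
ip_forward_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unknown
    fi
}

# Demo on a constructed squid.conf fragment (not a file from the page).
check_squid_conf <<'CONF'
http_port 3128
http_port 3129 intercept
acl localnet src 192.168.1.0/24
http_access allow localnet
CONF
apply_rules eth0 192.168.1.0/24 3129
echo "net.ipv4.ip_forward = $(ip_forward_state)"
```

Run it once as shown to see the rules, then `DRY_RUN=0 sh script.sh` as root to install them; pair the http_port change with an `http_access allow localnet` ACL so that the intercept port only serves the LAN.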

I already changed it to intercept as suggested by HBruijn. The iptables NAT rules are already in place, and INPUT to the proxy server is not blocked for any port/source; all incoming packets are allowed for now.
– user53864, Jul 11 '14 at 6:32

I tried, no luck; the result is the same. I tried with port 3129 in Squid and also replaced the iptables rules with the new port. I still could not access the internet on my client machines.
– user53864, Jul 11 '14 at 7:25

I changed the settings to intercept; the result is the same, in that I could not access the internet on the clients with 192.168.1.3 as the gateway and primary DNS. Yes, TCP/IP forwarding is enabled in sysctl.conf.
– user53864, Jul 4 '14 at 17:35

Actually, what's the proper way to set up a Squid client? Should the DNS be Squid's IP (192.168.1.3) or the general router IP (192.168.1.1)?
– user53864, Jul 4 '14 at 17:40

The normal setup is that the router/default gateway a client receives in its DHCP lease has a redirect rule that intercepts outgoing traffic to TCP port 80 and redirects those packets to the transparent proxy. There they'll be processed and the results returned to the client. The DNS used doesn't matter.
– HBruijn, Jul 6 '14 at 9:52

So it should just work with the gateway setting on the clients; I still don't know why I couldn't access the internet on the clients.
– user53864, Jul 6 '14 at 13:23

Like this, you will have a classic proxy port (8080) to configure on your clients and an enforcing port for non-encrypted traffic.

Why would you want to do this? Well, if you don't want HTTPS traffic bypassing the proxy (which means configuring ordinary clients anyway), and if you want to support, but don't want to (or cannot) configure, less smart devices or programs.
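Whichever port a client ends up using, the question's doubt (did the page really come through Squid, and from its cache, or straight via the router?) can be settled from the client by looking at the response headers: with its default `via on`, Squid stamps every response it handles with a `Via:` header naming itself and an `X-Cache: HIT from <host>` or `X-Cache: MISS from <host>` header. The script below is an added example, not code from either answer. It classifies a captured header block and, when RUN_LIVE=1, fetches headers through the classic port and without any proxy (the intercept path); the proxy address 192.168.1.3:8080 and the URL http://example.com/ are assumptions, as are the constructed sample headers.

```sh
#!/bin/sh
# Added example, not from the original answers: tell from the client whether a
# response came through Squid and whether it was served from the cache.
# Squid adds "Via: ... (squid/...)" and "X-Cache: HIT|MISS from <host>"
# to responses it handles; a response without either never touched Squid.
# Assumed: proxy box 192.168.1.3, classic forward port 8080 (as in the answer
# above); the intercept path is exercised by fetching with no proxy at all.

# Classify an HTTP response header block read on stdin and print one word:
#   hit     passed through Squid and answered from its cache
#   miss    passed through Squid but fetched from the origin
#   direct  no Squid header at all: the request bypassed the proxy
classify_headers() {
    hdrs=$(cat | tr -d '\r')
    via=$(printf '%s\n' "$hdrs" | grep -i '^via:.*squid' || true)
    xcache=$(printf '%s\n' "$hdrs" | grep -i '^x-cache:' | tr 'A-Z' 'a-z' || true)
    if [ -z "$via" ] && [ -z "$xcache" ]; then
        echo direct
        return 0
    fi
    case "$xcache" in
        *"x-cache: hit"*) echo hit ;;
        *) echo miss ;;
    esac
}

# Fetch only the response headers of URL with a GET, optionally through
# PROXY (host:port). -D - dumps headers to stdout; the body is discarded.
fetch_headers() {
    url=$1 proxy=$2
    if [ -n "$proxy" ]; then
        curl -sS -o /dev/null -D - -x "$proxy" "$url"
    else
        curl -sS -o /dev/null -D - "$url"
    fi
}

# Demo on constructed header blocks (not real captures from the page).
printf 'HTTP/1.1 200 OK\r\nVia: 1.1 proxy (squid/3.3.8)\r\nX-Cache: HIT from proxy\r\n\r\n' | classify_headers
printf 'HTTP/1.1 200 OK\r\nVia: 1.1 proxy (squid/3.3.8)\r\nX-Cache: MISS from proxy\r\n\r\n' | classify_headers
printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n' | classify_headers

# Live check from a client: first through the classic port, then with no proxy
# configured, which only reaches Squid if the transparent redirect works.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    echo "via 192.168.1.3:8080: $(fetch_headers http://example.com/ 192.168.1.3:8080 | classify_headers)"
    echo "no proxy configured:  $(fetch_headers http://example.com/ | classify_headers)"
fi
```

Fetch the same URL twice: the first answer should be `miss`, the second `hit`; a `direct` on the no-proxy run means the redirect rule is not catching the client's traffic. For the "internet shut down" goal in the question, Squid by default still revalidates many cached objects with the origin; the `offline_mode on` directive makes it serve what it has without revalidating.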